<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000'><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">Hello,</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><span style="font-size: 12pt;">I recently came across a zip file attachment containing a malware exe that is not being banned by amavis.</span></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">The amavis configuration allows for zip but not exe files.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">If amavis is configured to ban zip files, amavis does recognize the file as zip and bans it.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">If the exe is unzipped first then sent, amavis does recognize the file as exe and bans it.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">I checked and amavis is using the internal decoder for .zip files, which is able to manually unarchive the file.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">I also tried to set the decoder to use 7z for zip, but the exe was still not banned.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">Oddly, the maillog shows no warnings or errors. All other zip files containging exe's are properly banned.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">This is using amavisd-new-2.6.6 running on Ubuntu 10.04.4 LTS x64.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">The malware contained in the zip is dyreza, more info about the file can be found here.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div><font face="times new roman, new york, times, serif">https://www.virustotal.com/en/file/d60e70b89a9c8179bb7486d8a447d3100cfcff598746eaf9bffa15589e5eb9e8/analysis/</font></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br><br><div><span></span><div><div><div><div>Regards<br></div></div></div></div></div></div></div></body></html>